Skip to main content

SOGo CVE-2026-8851

| EUVDEUVD-2026-30804 HIGH
SQL Injection (CWE-89)
2026-05-18 VulnCheck GHSA-7vv4-j48f-wcx7
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
May 18, 2026 - 21:32 vuln.today
Analysis Generated
May 18, 2026 - 21:32 vuln.today
CVSS changed
May 18, 2026 - 21:22 NVD
8.1 (HIGH) 8.6 (HIGH)

DescriptionCVE.org

SOGo 5.12.7 contains a SQL injection vulnerability in the Access Control List management functionality that allows authenticated users to extract arbitrary data from the database by injecting SQL subqueries through the uid parameter of the addUserInAcls endpoint. Attackers can inject malicious SQL code to write extracted data into the sogo_acl table and retrieve it through the /acls API, establishing an out-of-band data exfiltration channel.

AnalysisAI

SQL injection in SOGo 5.12.7 (Alinto's open-source groupware/webmail platform) allows authenticated users to exfiltrate arbitrary database contents by injecting subqueries through the uid parameter of the addUserInAcls endpoint, then reading the staged data back via the /acls API. The flaw, reported by VulnCheck (with credit to dninh of SACOMBANK), is fixed in 5.12.8; no public exploit identified at time of analysis and the CVE is not on CISA KEV.

Technical ContextAI

SOGo is a groupware server providing webmail, calendaring, and address-book services, commonly fronted by Apache/nginx and backed by PostgreSQL or MySQL where the sogo_acl table stores Access Control List entries for shared folders. CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) here manifests because the addUserInAcls endpoint concatenates the user-supplied uid parameter into the ACL INSERT/UPDATE statement without parameterization, letting an attacker craft a subquery whose result is written into the acl row and then read back through the standard /acls retrieval API - a clean out-of-band channel. CPE cpe:2.3:a:alinto:sogo_webmail:*:*:*:*:*:*:*:* indicates all prior SOGo Webmail builds are in scope, and the vendor release notes confirm the issue affects any previous SOGo version.

RemediationAI

Vendor-released patch: SOGo 5.12.8 - upgrade immediately following the release notes at https://www.sogo.nu/news/2026/sogo-v5128-released.html (note the vendor warns of possible regressions, mainly in the mail view, after upgrade). If patching must be deferred briefly, restrict reachability of the SOGo web UI to trusted networks or VPN, block or reverse-proxy-filter requests to the /SOGo/so/*/Calendar/.../addUserInAcls and /acls endpoints for non-administrative users, audit the sogo_acl table for anomalous uid values containing SQL metacharacters or subquery syntax, and rotate any credentials or secrets stored in the same database since arbitrary contents may have been read; each of these controls breaks ACL sharing workflows for affected users and should be lifted once 5.12.8 is deployed.

Share

CVE-2026-8851 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy